List: openswan-dev
Subject: Re: [Openswan dev] MTU: tcpdump vs pmtu 1446
From: Vincent Tamet <vincent.tamet () ilimit ! net>
Date: 2011-03-30 10:40:00
Message-ID: 333636ee-5fbf-47df-9621-30f3d3426fea () zimbra
Hi,
I posted my problem to a Cisco forum (https://supportforums.cisco.com/thread/2067814), and wzhang answered me. My last post:
Thank you very much!
I couldn't do the last tcpdump because I have a frag problem, explained briefly at the bottom.
I tested with a ping -c 1 -s 1418 192.168.2.5
Encapsulating Security Payload (Tunnel Mode)
IP Tunnel header                                          20
ESP Header
  Security Parameters Index [SPI]                          4
  Sequence Number                                          4
Payload data (variable)
  Initialization Vector [IV] IOS ESP-DES-3DES              8
  Data (Variable)                                       1446
    IP Origin header 20
    ICMP Header 8
    Data 1418
  Padding Encrypt IOS ESP-DES-3DES (variable 0->7)         0
ESP Trailer
  Pad Length 8 bits                                        1
  Next Header 8 bits                                       1
ESP Authentication Data (Variable x4?)
  Integrity Check Value [ICV] ESP MD5 96 digest           12
  Padding Auth                                             0
                                                     -------
                                                 1496 < 1500
I use this to compute the pad:
8+(1446)+1+1= 1456
1456/8 = 182.00
1456-(182*8) = 0 so without padding
If we calculate for a ping -c 1 -s 1419 192.168.2.5
Encapsulating Security Payload (Tunnel Mode)
IP Tunnel header                                          20
ESP Header
  Security Parameters Index [SPI]                          4
  Sequence Number                                          4
Payload data (variable)
  Initialization Vector [IV] IOS ESP-DES-3DES              8
  Data (Variable)                                       1447
    IP Origin header 20
    ICMP Header 8
    Data 1419
  Padding Encrypt IOS ESP-DES-3DES (variable 0->7)         7
ESP Trailer
  Pad Length 8 bits                                        1
  Next Header 8 bits                                       1
ESP Authentication Data (Variable x4?)
  Integrity Check Value [ICV] ESP MD5 96 digest           12
  Padding Auth                                             0
                                                     -------
                                                 1504 > 1500
And for the pad:
8+(1447)+1+1= 1457
1457/8 = 182.12
1457-(182*8) = 1. If it is not 0 we need to calculate the padding:
8-1=7
I still have some problems with fragmentation on the Cisco, so I am not able to confirm this with tcpdump, because the Cisco starts to fragment my packet before the 1418 limit size of data; for now it does not fragment for 1410 bytes of data but does fragment for a 1411-byte packet size: https://supportforums.cisco.com/thread/2075689
I don't know why, but I have always had problems with the 8 magic lost bytes in Cisco 8xx products!!!
I have another discussion, with an open ticket with Cisco support, about another loss of 8 bytes: https://supportforums.cisco.com/thread/2058182
And this one is an 8-byte problem too, about a frag problem: https://supportforums.cisco.com/thread/2066638
Best regards.
----- Original Message -----
From: "Vincent Tamet" <vincent.tamet@ilimit.net>
To: dev@openswan.org
Cc: osg@free.fr
Sent: Monday 31 January 2011 13:50:32
Subject: [Openswan dev] MTU: tcpdump vs pmtu 1446
Hi,
I'm trying to understand why the MTU in my test tunnel is 1446.
Ruben, in the IRC channel #openswan, told me to try here.
The 2 Linux boxes are on the same Ethernet LAN.
Mode Tunnel: 3des/md5-96
My calculations:
MTU   IP   SPI  SN   IV  Data   Pad  PL   NH   AUTH
1500  -20  -4   -4   -( 8 x )   -0   -1   -1   -12   = 1450
The PMTU from a ping -M do gives me 1446.
I can't understand where the problem is; I must be missing something, but what?
Best regards
Vincent Tamet.
OSG[PCQ]
PS: The dump is from a LAN-to-internet configuration, but the results are the same.
-----------------------------------------------------------------------------
* ping 192.168.3.1 -c 1 -s 2
17:25:56.555463 00:06:5b:8a:a4:2b > 00:24:14:d9:f1:90, ethertype IPv4 (0x0800), length 44: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 30)
    192.168.2.5 > 192.168.3.1: ICMP echo request, id 46448, seq 1, length 10
        0x0000:  4500 001e 0000 4000 4001 b488 c0a8 0205  E.....@.@.......
        0x0010:  c0a8 0301 0800 428d b570 0001 0001       ......B..p....
-----------------------------------------------------------------------------
16:25:59.221603 08:1f:f3:e7:0e:65 > 00:23:7d:fd:bb:04, ethertype IPv4 (0x0800), length 94: (tos 0x0, ttl 253, id 1992, offset 0, flags [DF], proto ESP (50), length 80)
    80.94.1.136 > 10.0.0.2: ESP(spi=0xdb14b228,seq=0x8), length 60
        0x0000:  4500 0050 07c8 4000 fd32 19cc 505e 0188  E..P..@..2..P^..
        0x0010:  0a00 0002 db14 b228 0000 0008 5957 445a  .......(....YWDZ
        0x0020:  5dcd 42b4 4500 001e 0000 4000 3f01 b588  ].B.E.....@.?...
        0x0030:  c0a8 0205 c0a8 0301 0800 428d b570 0001  ..........B..p..
        0x0040:  0001 0004 58c2 f376 69fa ede5 2584 f199  ....X..vi...%...
-----------------------------------------------------------------------------
_______________________________________________
Dev mailing list
Dev@openswan.org
http://lists.openswan.org/mailman/listinfo/dev
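
Added example (not part of the original messages and not Openswan code): the size arithmetic from the thread as a small calculator for tunnel-mode ESP with 3DES / MD5-96. Field sizes are the ones listed in the message; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic for 3DES / HMAC-MD5-96.
# Field sizes come from the breakdown in the message; names are hypothetical.
OUTER_IP = 20      # tunnel IP header
ESP_HDR = 4 + 4    # SPI + sequence number
IV = 8             # 3DES-CBC initialization vector
BLOCK = 8          # 3DES cipher block size
TRAILER = 1 + 1    # pad length + next header
ICV = 12           # MD5-96 integrity check value


def esp_padding(inner_len, include_iv=False):
    """Pad bytes so the encrypted part (inner packet + pad + trailer)
    ends on a cipher block boundary.

    The message also adds the 8-byte IV before dividing by 8; because the
    IV is exactly one block long here, both ways give the same pad.
    """
    base = inner_len + TRAILER + (IV if include_iv else 0)
    return (-base) % BLOCK


def esp_packet_len(inner_len):
    """Outer IP packet length for an inner IP packet of inner_len bytes."""
    pad = esp_padding(inner_len)
    return OUTER_IP + ESP_HDR + IV + inner_len + pad + TRAILER + ICV


def max_inner_len(link_mtu=1500):
    """Largest inner IP packet that still fits in link_mtu unfragmented."""
    room = link_mtu - OUTER_IP - ESP_HDR - IV - ICV  # bytes left for ciphertext
    room -= room % BLOCK                             # whole cipher blocks only
    return room - TRAILER


def icmp_inner_len(ping_size):
    """Inner IP packet length for `ping -s ping_size` (IP 20 + ICMP 8 + data)."""
    return 20 + 8 + ping_size


if __name__ == "__main__":
    for size in (2, 1418, 1419):
        inner = icmp_inner_len(size)
        print(f"ping -s {size}: inner={inner} pad={esp_padding(inner)} "
              f"outer={esp_packet_len(inner)}")
    print("max inner packet for MTU 1500:", max_inner_len())
```

With these sizes the `ping -s 2` case gives the 80-byte ESP packet seen in the dump, and the largest inner packet for a 1500-byte link comes out at 1446.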